Cloud routers
With a cloud router, you can:
- route traffic between private subnets. All private subnets connected to the same router can communicate with each other and use the router's IP address as the default route;
- configure Internet access for devices in the private subnet (outgoing traffic) and access to them from the Internet (incoming traffic); for details, see the instructions Configure Internet access and from the Internet. The cloud router performs 1:1 NAT through an external IP address that is allocated when the router is connected to the Internet: it provides Internet access from the private subnet and processes incoming packets for public IP addresses.
You can configure static routes on the cloud router.
A cloud router can only be used within one project and one pool.
Cloud routers have a bandwidth limit on the amount of traffic. You can see it in the Bandwidth table.
You can work with cloud routers in the control panel, using the OpenStack CLI or Terraform.
Create a cloud router
Control panel
- In the dashboard, on the top menu, click Products and select Cloud Servers.
- Go to the Network → Cloud routers tab.
- Click Create router.
- Select the pool where the cloud router will be created.
- Enter the name of the router.
- Optional: check the Connect router to the Internet checkbox. An external IP address will be assigned to the router.
- Click Create.
OpenStack CLI
- Create a cloud router:
  openstack router create <router_name>
  Specify <router_name>: the name of the cloud router.
- Optional: connect the cloud router to the Internet. An external IP address will be assigned to the router:
  openstack router set --external-gateway external-network <router>
  Specify <router>: the ID or name of the cloud router; you can view it with the openstack router list command.
Connect a subnet to the cloud router
To allow private subnets from different networks to communicate with each other, they must be connected to the same cloud router. The subnets must not overlap - they must not have the same IP addresses.
To configure Internet access for devices on private subnets and access to them from the Internet, use the instructions Configure Internet and Internet Access.
Control panel
- In the dashboard, on the top menu, click Products and select Cloud Servers.
- Go to the Network → Cloud routers tab.
- Open the router page.
- Click Connect Subnet.
- Select a private subnet or a global router subnet.
- Optional: enter the IP address of the router, which can be any free IP address from the subnet. If you do not specify an IP address, it will be selected automatically from the free subnet addresses.
  To allow devices on the subnet to access the Internet without configuring additional routes, the IP address of the cloud router must match the gateway of the private subnet. If the subnet gateway address is already in use, you will need to configure a static route through the cloud router on the subnet to access the Internet.
  You can view the subnet gateway in the control panel: in the top menu, click Products → Cloud Servers → Network → Private Networks tab → Network page → Subnets tab → Subnet card → Automatic Network Settings block → Subnet Gateway field.
- Click Connect.
OpenStack CLI
- Connect the subnet to the cloud router:
  openstack router add subnet <router> <subnet>
  Specify:
  - <router>: the ID or name of the cloud router; you can view it with the openstack router list command;
  - <subnet>: the ID or name of the private subnet; you can view it with the openstack subnet list command.
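A pre-flight check for the two conditions in this section (subnets on one router must not overlap, and the router's address must match the subnet gateway to avoid a static route), as an added example that is not part of the original instructions. The subnet data and the preflight function are constructed for illustration; in practice the CIDR and gateway values would come from openstack subnet list and openstack subnet show.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan (not from the page): subnets to attach to one cloud router.
# "router_ip" is the address requested for the router port; None = auto-selected.
SUBNETS = [
    {"name": "app", "cidr": "192.168.0.0/24", "gateway": "192.168.0.1", "router_ip": "192.168.0.1"},
    {"name": "db", "cidr": "192.168.0.128/25", "gateway": "192.168.0.129", "router_ip": "192.168.0.130"},
    {"name": "mgmt", "cidr": "10.10.0.0/24", "gateway": "10.10.0.1", "router_ip": "10.20.0.5"},
]


def preflight(subnets):
    """Return (kind, detail) findings for the planned subnet connections."""
    findings = []
    nets = {s["name"]: ipaddress.ip_network(s["cidr"], strict=True) for s in subnets}

    # Subnets connected to the same router must not share any addresses.
    for a, b in combinations(subnets, 2):
        if nets[a["name"]].overlaps(nets[b["name"]]):
            findings.append(
                ("overlap", f'{a["name"]} {a["cidr"]} overlaps {b["name"]} {b["cidr"]}')
            )

    for s in subnets:
        if s["router_ip"] is None:
            continue  # the address will be picked from the free subnet addresses
        net = nets[s["name"]]
        ip = ipaddress.ip_address(s["router_ip"])
        if ip not in net:
            # The router port must take an address that belongs to the subnet.
            findings.append(("bad-router-ip", f'{s["name"]}: {ip} is outside {net}'))
        elif ip != ipaddress.ip_address(s["gateway"]):
            # Devices keep using the subnet gateway as default route, so Internet
            # access through this router needs a static route on the subnet.
            findings.append(
                ("static-route-needed", f'{s["name"]}: router {ip}, gateway {s["gateway"]}')
            )
    return findings


if __name__ == "__main__":
    for kind, detail in preflight(SUBNETS):
        print(f"{kind}: {detail}")
```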
Disconnect the subnet from the cloud router
You cannot disconnect a subnet from a cloud router if:
- The router handles traffic for the public IP addresses of devices on this subnet;
- there are static routes on the router that specify the IP addresses of this subnet as next-hop.
Control panel
- In the dashboard, on the top menu, click Products and select Cloud Servers.
- Go to the Network → Cloud routers tab.
- Open the router page → Ports tab.
- On the port line of the desired subnet, click .
- Click Delete.
OpenStack CLI
- Disconnect the subnet from the cloud router:
  openstack router remove subnet <router> <subnet>
  Specify:
  - <router>: the ID or name of the cloud router; you can view it with the openstack router list command;
  - <subnet>: the ID or name of the subnet; you can view it with the openstack subnet list command.
Connect the cloud router to the Internet
To configure Internet access for devices on a private subnet, the subnet must be connected to a cloud router with Internet access. To access the Internet, the router is connected to an external network (external-network) and is assigned an external IP address through which the router will perform a 1:1 NAT function.
The router's external IP address cannot be used to access devices behind the router from the Internet. It is only used to allow devices to access the Internet through the router.
To configure access from the Internet to devices, use a public IP address or a public subnet; for details, see the instructions Configure access to and from the Internet.
Control panel
- In the dashboard, on the top menu, click Products and select Cloud Servers.
- Go to the Network → Cloud routers tab.
- From the menu of the cloud router, select Connect to Internet.
OpenStack CLI
- Connect the cloud router to the Internet:
  openstack router set --external-gateway external-network <router>
  Specify <router>: the ID or name of the cloud router; you can view it with the openstack router list command.
Disconnect the cloud router from the Internet
If you disconnect the cloud router from the Internet, its external IP address will return to the address pool. When you reconnect, the IP address will change.
A cloud router cannot be disconnected from the Internet if it handles traffic for public IP addresses.
Control panel
- In the dashboard, on the top menu, click Products and select Cloud Servers.
- Go to the Network → Cloud routers tab.
- From the menu of the cloud router, select Disconnect from Internet.
- Click Disable.
OpenStack CLI
- Disconnect the cloud router from the Internet:
  openstack router unset --external-gateway <router>
  Specify <router>: the ID or name of the cloud router; you can view it with the openstack router list command.
Assign a firewall to a cloud router port
Inbound and outbound traffic that is not allowed by the cloud firewall rules will be denied on the cloud router port. Active sessions on the router that do not match the new rules will be interrupted.
You cannot assign more than one firewall to a single router port.
Control panel
- In the dashboard, on the top menu, click Products and select Cloud Servers.
- Go to the Network → Cloud routers tab.
- Open the cloud router page.
- In the port line of the private subnet for which you want to configure traffic filtering, in the Firewall field, click .
- Select a firewall.
- Click Save.
OpenStack CLI
- Assign a firewall to the cloud router port:
  openstack firewall group set --port <router_port> <firewall>
  Specify:
  - <router_port>: the ID or name of the router port to which the firewall will be assigned; you can view it with the openstack port list command. To assign a firewall to multiple router ports, list their IDs or names separated by spaces;
  - <firewall>: the ID or name of the firewall; you can view it with the openstack firewall group list command.
Disconnect the firewall from the cloud router port
Cloud firewall rules will no longer apply - all inbound and outbound traffic that passes through the cloud router port will be allowed.
Control panel
- In the dashboard, on the top menu, click Products and select Cloud Servers.
- Go to the Network → Cloud routers tab.
- Open the router page.
- In the port line of the private subnet for which you configured traffic filtering, in the Firewall field, click .
- Select No firewall.
- Click Save.
OpenStack CLI
- Disconnect the firewall from the router port:
  openstack firewall group unset --port <router_port> <firewall>
  Specify:
  - <router_port>: the ID or name of the router port from which the firewall will be disconnected; you can view it with the openstack port list command;
  - <firewall>: the ID or name of the firewall; you can view it with the openstack firewall group list command.
Turn on the cloud router
Control panel
- In the dashboard, on the top menu, click Products and select Cloud Servers.
- Go to the Network → Cloud routers tab.
- In the cloud router card, turn on the router.
OpenStack CLI
- Turn on the cloud router:
  openstack router set --enable <router>
  Specify <router>: the ID or name of the router; you can view it with the openstack router list command.
Turn off the cloud router
The router cannot be turned off if it is handling traffic for a public IP address.
Control panel
- In the dashboard, on the top menu, click Products and select Cloud Servers.
- Go to the Network → Cloud routers tab.
- In the cloud router card, turn off the router.
OpenStack CLI
- Turn off the cloud router:
  openstack router set --disable <router>
  Specify <router>: the ID or name of the cloud router; you can view it with the openstack router list command.
Remove the cloud router
Control panel
- In the dashboard, on the top menu, click Products and select Cloud Servers.
- Go to the Network → Cloud routers tab.
- Disconnect all connected subnets from the router by removing the ports of all subnets from the router:
  3.1 Open the router page → Ports tab.
  3.2 On the line of any port, click .
  3.3 Click Delete.
  3.4 Repeat steps 3.2-3.3 for all remaining ports.
- From the router menu, select Remove Router.
- Click Delete.
OpenStack CLI
- If subnets are connected to the router, delete the router ports:
  openstack router remove port <router> <port_id>
  Specify:
  - <router>: the ID or name of the cloud router; you can view it with the openstack router list command;
  - <port_id>: the ID of the port connected to the router; you can view it with the openstack port list --router <router> command.
- Remove the router:
  openstack router delete <router>